HeroDevs

Rails 6.1.x

NES Release Notes

6.1.7.32

Bug Fixes

  • CVE-2025-61919: Rack::Request#POST reads the entire request body into memory for Content-Type:application/x-www-form-urlencoded, calling rack.input.read(nil) without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
  • CVE-2025-61780: A possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers (such as Nginx). Specially crafted headers could cause Rack::Sendfile to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.20.0

6.1.7.31

Bug Fixes

  • CVE-2025-61770: Rack::Multipart::Parser buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.
  • CVE-2025-61771: Rack::Multipart::Parser stores non-file form fields (parts without a filename) entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).
  • CVE-2025-61772: Rack::Multipart::Parser can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (CRLFCRLF). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.19.0

6.1.7.30

Bug Fixes

  • CVE-2025-59830 (rack) Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.18.0

6.1.7.29

Bug Fixes

  • CVE-2025-24293 (activestorage) allowed transformation methods that were potentially unsafe
  • CVE-2025-55193 (activestorage) logging vulnerable to ANSI escape injection

6.1.7.28

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.17.10

Bug Fixes

6.1.7.27

Notes

  • No changes in Rails
  • Bumped Rack version requirement to version 2.2.14.10

Bug Fixes

6.1.7.26

Notes

  • This is the initial release of the NES Rails 6.1.x series. It also includes the release of NES for Rack v2.2.13.10.

Bug Fixes

  • CVE-2025-27111 (rack) - Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection
  • CVE-2025-27610 (rack) - Local File Inclusion in Rack::Static
  • CVE-2025-25184 (rack) - Possible Log Injection in Rack::CommonLogger
  • CVE-2024-47889 (actionmailer) – Fixed a possible ReDoS vulnerability in block_format in Action Mailer.
  • CVE-2024-47887 (actionpack) – Fixed a possible ReDoS vulnerability in HTTP Token authentication in Action Controller.
  • CVE-2024-54133 (actionpack) – Fixed a possible Content Security Policy bypass in Action Dispatch.
  • CVE-2024-41128 (actionpack) – Fixed a possible ReDoS vulnerability in query parameter filtering in Action Dispatch.
  • CVE-2024-47888 (actiontext) – Fixed a possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text
Rails 5.2.x
NES Release Notes
Previous Article